Arya: Nearly linear-time zero-knowledge proofs for correct program execution
There have been tremendous advances in reducing interaction, communication and verification time in zero-knowledge proofs but it remains an important challenge to make the prover efficient. We construct the first zero-knowledge proof of knowledge for the correct execution of a program on public and private inputs where the prover computation is nearly linear time. This saves a polylogarithmic factor in asymptotic performance compared to current state of the art proof systems.
We use the TinyRAM model to capture general purpose processor computation. An instance consists of a TinyRAM program and public inputs. The witness consists of additional private inputs to the program. The prover can use our proof system to convince the verifier that the program terminates with the intended answer within given time and memory bounds. Our proof system has perfect completeness, statistical special honest verifier zero-knowledge, and computational knowledge soundness assuming linear-time computable collision-resistant hash functions exist. The main advantage of our new proof system is asymptotically efficient prover computation. The prover’s running time is only a superconstant factor larger than the program’s running time in an apples-to-apples comparison where the prover uses the same TinyRAM model. Our proof system is also efficient on the other performance parameters; the verifier’s running time and the communication are sublinear in the execution time of the program and we only use a log-logarithmic number of rounds.
Compressed Σ-protocol theory and practical application to plug & play secure algorithmics
Σ-Protocols provide a well-understood basis for secure algorithmics. Recently, Bulletproofs (Bootle et al., EUROCRYPT 2016, and Bünz et al., S&P 2018) have been proposed as a drop-in replacement in case of zero-knowledge (ZK) for arithmetic circuits, achieving logarithmic communication instead of linear. Its pivot is an ingenious, logarithmic-size proof of knowledge BP for certain quadratic relations. However, reducing ZK for general relations to it forces a somewhat cumbersome “reinvention” of cryptographic protocol theory. We take a rather different viewpoint and reconcile Bulletproofs with Σ-Protocol Theory such that (a) simpler circuit ZK is developed within established theory, while (b) achieving exactly the same logarithmic communication. The natural key here is linearization. First, we repurpose BPs as a blackbox compression mechanism for standard Σ-Protocols handling ZK proofs of general linear relations (on compactly committed secret vectors); our pivot. Second, we reduce the case of general nonlinear relations to blackbox applications of our pivot via a novel variation on arithmetic secret sharing based techniques for Σ-Protocols (Cramer et al., ICITS 2012). Orthogonally, we enhance versatility by enabling scenarios not previously addressed, e.g., when a secret input is dispersed across several commitments. Standard implementation platforms leading to logarithmic communication follow from a Discrete-Log assumption or a generalized Strong-RSA assumption. Also, under a Knowledge-of-Exponent Assumption (KEA) communication drops to constant, as in zk-SNARKs. All in all, our theory should more generally be useful for modular (“plug & play”) design of practical cryptographic protocols; this is further evidenced by our separate work (2020) on proofs of partial knowledge.
Phosphatidylinositol 3-Kinase -Selective Inhibition With Alpelisib (BYL719) in PIK3CA-Altered Solid Tumors: Results From the First-in-Human Study
Purpose: We report the first-in-human phase Ia study to our knowledge (ClinicalTrials.gov identifier: NCT01219699) identifying the maximum tolerated dose and assessing safety and preliminary efficacy of single-agent alpelisib (BYL719), an oral phosphatidylinositol 3-kinase (PI3K)-selective inhibitor.
Patients and Methods: In the dose-escalation phase, patients with PIK3CA-altered advanced solid tumors received once-daily or twice-daily oral alpelisib on a continuous schedule. In the dose-expansion phase, patients with PIK3CA-altered solid tumors and PIK3CA-wild-type, estrogen receptor-positive/human epidermal growth factor receptor 2-negative breast cancer received alpelisib 400 mg once daily.
Results: One hundred thirty-four patients received treatment. Alpelisib maximum tolerated doses were established as 400 mg once daily and 150 mg twice daily. Nine patients (13.2%) in the dose-escalation phase had dose-limiting toxicities of hyperglycemia (n = 6), nausea (n = 2), and both hyperglycemia and hypophosphatemia (n = 1). Frequent all-grade, treatment-related adverse events included hyperglycemia (51.5%), nausea (50.0%), decreased appetite (41.8%), diarrhea (40.3%), and vomiting (31.3%). Alpelisib was rapidly absorbed; half-life was 7.6 hours at 400 mg once daily with minimal accumulation. Objective tumor responses were observed at doses 270 mg once daily; overall response rate was 6.0% (n = 8; one patient with endometrial cancer had a complete response, and seven patients with cervical, breast, endometrial, colon, and rectal cancers had partial responses). Stable disease was achieved in 70 (52.2%) patients and was maintained > 24 weeks in 13 (9.7%) patients; disease control rate (complete and partial responses and stable disease) was 58.2%. In patients with estrogen receptor-positive/human epidermal growth factor receptor 2-negative breast cancer, median progression-free survival was 5.5 months. Frequently mutated genes ( 10% tumors) included TP53 (51.3%), APC (23.7%), KRAS (22.4%), ARID1A (13.2%), and FBXW7 (10.5%).
Conclusion: Alpelisib demonstrated a tolerable safety profile and encouraging preliminary activity in patients with PIK3CA-altered solid tumors, supporting the rationale for selective PI3K inhibition in combination with other agents for the treatment of PIK3CA-mutant tumors.
Updatable and Universal Common Reference Strings with Applications to zk-SNARKs
By design, existing (pre-processing) zk-SNARKs embed a secret trapdoor in a relation-dependent common reference string (CRS). The trapdoor is exploited by a (hypothetical) simulator to prove the scheme is zero knowledge, and the secret-dependent structure facilitates a linear-size CRS and linear-time prover computation. If known by a real party, however, the trapdoor can be used to subvert the security of the system. The structured CRS that makes zk-SNARKs practical also makes deploying zk-SNARKs problematic, as it is difficult to argue why the trapdoor would not be available to the entity responsible for generating the CRS. Moreover, for pre-processing zk-SNARKs a new trusted CRS needs to be computed every time the relation is changed. In this paper, we address both issues by proposing a model where a number of users can update a universal CRS. The updatable CRS model guarantees security if at least one of the users updating the CRS is honest. We provide both a negative result, by showing that zk-SNARKs with private secret-dependent polynomials in the CRS cannot be updatable, and a positive result by constructing a zk-SNARK based on a CRS consisting only of secret-dependent monomials. The CRS is of quadratic size, is updatable, and is universal in the sense that it can be specialized into one or more relation-dependent CRS of linear size with linear-time prover computation.
A novel fragment derived from the β chain of human fibrinogen, β43–63, is a potent inhibitor of activated endothelial cells in vitro and in vivo
Background: Angiogenesis and haemostasis are closely linked within tumours with many haemostatic proteins regulating tumour angiogenesis. Indeed we previously identified a fragment of human fibrinogen, fibrinogen E-fragment (FgnE) with potent anti-angiogenic properties in vitro and cytotoxic effects on tumour vessels in vivo. We therefore investigated which region of FgnE was mediating vessel cytotoxicity.
Methods: Human dermal microvascular endothelial cells (ECs) were used to test the efficacy of peptides derived from FgnE on proliferation, migration, differentiation, apoptosis and adhesion before testing the efficacy of an active peptide on tumour vasculature in vivo.
Results: We identified a 20-amino-acid peptide derived from the β chain of FgnE, β43–63, which had no effect on EC proliferation or migration but markedly inhibited the ability of activated ECs to form tubules or to adhere to various constituents of the extracellular matrix – collagen IV, fibronectin and vitronectin. Furthermore, our data show that β43–63 interacts with ECs, in part, by binding to αvβ3, so soluble αvβ3 abrogated β43–63 inhibition of tubule formation by activated ECs. Finally, when injected into mice bearing tumour xenografts, β43–63 inhibited tumour vascularisation and induced formation of significant tumour necrosis.
Conclusions: Taken together, these data suggest that β43–63 is a novel anti-tumour peptide whose anti-angiogenic effects are mediated by αvβ3.
LWE with side information: Attacks and concrete security estimation
We propose a framework for cryptanalysis of lattice-based schemes, when side information—in the form of “hints”—about the secret and/or error is available. Our framework generalizes the so-called primal lattice reduction attack, and allows the progressive integration of hints before running a final lattice reduction step. Our techniques for integrating hints include sparsifying the lattice, projecting onto and intersecting with hyperplanes, and/or altering the distribution of the secret vector. Our main contribution is to propose a toolbox and a methodology to integrate such hints into lattice reduction attacks and to predict the performance of those lattice attacks with side information. While initially designed for side-channel information, our framework can also be used in other cases: exploiting decryption failures, or simply exploiting constraints imposed by certain schemes (LAC, Round5, NTRU). We implement a Sage 9.0 toolkit to actually mount such attacks with hints when computationally feasible, and to predict their performance on larger instances. We provide several end-to-end application examples, such as an improvement of a single trace attack on Frodo by Bos et al. (SAC 2018). In particular, our work can estimate security loss even given very little side information, leading to a smooth measurement/computation trade-off for side-channel attacks.
Triptych: logarithmic-sized linkable ring signatures with applications
Ring signatures are a common construction used to provide signer ambiguity among a non-interactive set of public keys specified at the time of signing. Unlike early approaches where signature size is linear in the size of the signer anonymity set, current optimal solutions either require centralized trusted setups or produce signatures logarithmic in size. However, few also provide linkability, a property used to determine whether the signer of a message has signed any previous message, possibly with restrictions on the anonymity set choice. Here we introduce Triptych, a family of linkable ring signatures without trusted setup that is based on generalizations of zero-knowledge proofs of knowledge of commitment openings to zero. We demonstrate applications of Triptych in signer-ambiguous transaction protocols by extending the construction to openings of parallel commitments in independent anonymity sets. Signatures are logarithmic in the anonymity set size and, while verification complexity is linear, collections of proofs can be efficiently verified in batches. We show that for anonymity set sizes practical for use in distributed protocols, Triptych offers competitive performance with a straightforward construction.
Diagnosis of the Leaching Plant of the Santa Laura Saltpeter Works (Oficina Salitrera) in Chile. World Heritage Site
Reusable Non-Interactive Secure Computation
We consider the problem of Non-Interactive Secure Computation (NISC), a 2-message “Sender-Receiver” secure computation protocol that retains its security even when both parties can be malicious. While such protocols are easy to construct using garbled circuits and general non-interactive zero-knowledge proofs, this approach inherently makes a non-black-box use of the underlying cryptographic primitives and is infeasible in practice.
Ishai et al. (Eurocrypt 2011) showed how to construct NISC protocols that only use parallel calls to an ideal oblivious transfer (OT) oracle, and additionally make only a black-box use of any pseudorandom generator. Combined with the efficient 2-message OT protocol of Peikert et al. (Crypto 2008), this leads to a practical approach to NISC that has been implemented in subsequent works. However, a major limitation of all known OT-based NISC protocols is that they are subject to selective failure attacks that allow a malicious sender to entirely compromise the security of the protocol when the receiver's first message is reused.
Motivated by the failure of the OT-based approach, we consider the problem of basing reusable NISC on parallel invocations of a standard arithmetic generalization of OT known as oblivious linear-function evaluation (OLE). We obtain the following results:
- We construct an information-theoretically secure reusable NISC protocol for arithmetic branching programs and general zero-knowledge functionalities in the OLE-hybrid model. Our zero-knowledge protocol only makes an absolute constant number of OLE calls per gate in an arithmetic circuit whose satisfiability is being proved. As a corollary, we get reusable NISC/OLE for general Boolean circuits using any one-way function.
- We complement this by a negative result, showing that reusable NISC/OT is impossible to achieve, and a more restricted negative result for the case of the zero-knowledge functionality. This provides a formal justification for the need to replace OT by OLE.
- We build a universally composable 2-message OLE protocol in the CRS model that can be based on the security of Paillier encryption and requires only a constant number of modular exponentiations. This provides the first arithmetic analogue of the 2-message OT protocols of Peikert et al. (Crypto 2008).
- By combining our NISC/OLE protocol and the 2-message OLE protocol, we get protocols with new attractive asymptotic and concrete efficiency features. In particular, we get the first (designated-verifier) NIZK protocols where following a statement-independent preprocessing, both proving and verifying are entirely “non-cryptographic” and involve only a constant computational overhead.
- …
